---
layout: docs
page_title: "1.17.0 release notes"
description: |-
  Key updates for  Vault 1.17.0
---

# Vault 1.17.0 release notes

**GA date:** 2024-06-12

@include 'release-notes/intro.mdx'

## Important changes

| Change                                         | Description                                                                                                                                                                                      |
|------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| New default (1.17)                             | [Allowed audit headers now have unremovable defaults](/vault/docs/upgrading/upgrade-to-1.17.x#audit-headers)                                                                                     |
| Opt out feature (1.17)                         | [PKI sign-intermediate now truncates `notAfter` field to signing issuer](/vault/docs/upgrading/upgrade-to-1.17.x#pki-truncate)                                                                   |
| Beta feature deprecated (1.17)                 | [Request limiter deprecated](/vault/docs/upgrading/upgrade-to-1.17.x#request-limiter)                                                                                                            |
| New required parameter  (1.17)                 | [JWT auth login requires `bound_audiences` parameter on role](/vault/docs/upgrading/upgrade-to-1.17.x#jwt-auth-login-requires-bound-audiences-on-the-role)                                       |
| Known issue (1.17.0+)                          | [PKI OCSP GET requests can return HTTP redirect responses](/vault/docs/upgrading/upgrade-to-1.17.x#pki-ocsp)                                                                                     |
| Known issue (1.17.0)                           | [Vault Agent and Vault Proxy consume excessive amounts of CPU](/vault/docs/upgrading/upgrade-to-1.17.x#agent-proxy-cpu-1-17)                                                                     |
| Known issue (1.15.8 - 1.15.9, 1.16.0 - 1.16.3) | [Autopilot upgrade for Vault Enterprise fails](/vault/docs/upgrading/upgrade-to-1.16.x#new-nodes-added-by-autopilot-upgrades-provisioned-with-the-wrong-version)                                 |
| Known issue (1.17.0 - 1.17.2)                  | [Vault standby nodes not deleting removed entity-aliases from in-memory database](/vault/docs/upgrading/upgrade-to-1.17.x#dangling-entity-alias-in-memory)                                       |
| Known issue (1.17.0 - 1.17.3)                  | [AWS Auth AssumeRole requires an external ID even if none is set](/vault/docs/upgrading/upgrade-to-1.17.x#aws-auth-role-configuration-requires-an-external_id)                                   |
| Known Issue (0.7.0+)                           | [Duplicate identity groups created](/vault/docs/upgrading/upgrade-to-1.17.x#duplicate-identity-groups-created-when-concurrent-requests-sent-to-the-primary-and-pr-secondary-cluster)             |
| Known Issue (0.7.0+)                           | [Manual entity merges fail](/vault/docs/upgrading/upgrade-to-1.17.x#manual-entity-merges-sent-to-a-pr-secondary-cluster-are-not-persisted-to-storage)                                            |
| Known Issue (1.17.3-1.17.4)                    | [Some values in the audit logs not hmac'd properly](/vault/docs/upgrading/upgrade-to-1.17.x#client-tokens-and-token-accessors-audited-in-plaintext)                                              |
| Known Issue (1.17.0-1.17.5)                    | [Cached activation flags for secrets sync on follower nodes are not updated](/vault/docs/upgrading/upgrade-to-1.17.x#cached-activation-flags-for-secrets-sync-on-follower-nodes-are-not-updated) |
| New default (1.17.9)                           | [Vault product usage metrics reporting](/vault/docs/upgrading/upgrade-to-1.17.x#product-usage-reporting)                                                                                         |
| Deprecation (1.17.9)                           | [`default_report_months` is deprecated for the `sys/internal/counters` API](/vault/docs/upgrading/upgrade-to-1.17.x#activity-log-changes)                                                        |

## Vault companion updates

Companion updates are Vault updates that live outside the main Vault binary.

**None**.

## Core updates

Follow the learn more links for more information, or browse the list of
[Vault tutorials updated to highlight changes for the most recent GA release](/vault/tutorials/new-release).

<table>
  <thead>
    <tr>
      <th style={{verticalAlign: 'middle'}}>Release</th>
      <th style={{verticalAlign: 'middle'}}>Update</th>
      <th style={{verticalAlign: 'middle'}}>Description</th>
    </tr>
  </thead>
  <tbody>

  <tr>
    <td style={{verticalAlign: 'middle'}}>
      Security patches
    </td>
    <td style={{verticalAlign: 'middle', textAlign: 'center'}}>ENHANCED</td>
    <td style={{verticalAlign: 'middle'}}>
      Various security improvements to remediate varying severity and
      informational findings from a 3rd party security audit.
    </td>
  </tr>

  <tr>
    <td style={{verticalAlign: 'middle'}}>
      Vault Agent and Vault Proxy self-healing tokens
    </td>
    <td style={{verticalAlign: 'middle', textAlign: 'center'}}>ENHANCED</td>
    <td style={{verticalAlign: 'middle'}}>
      Auto-authentication avoids agent/proxy restarts and config changes by
      automatically re-authenticating authN tokens to Vault.
      <br /><br />
      Learn more: <a href="/vault/docs/agent-and-proxy/autoauth">Vault Agent and Vault Proxy auto-auth</a>
    </td>
  </tr>

  </tbody>
</table>

## Enterprise updates

<table>
  <thead>
    <tr>
      <th style={{verticalAlign: 'middle'}}>Release</th>
      <th style={{verticalAlign: 'middle'}}>Update</th>
      <th style={{verticalAlign: 'middle'}}>Description</th>
    </tr>
  </thead>
  <tbody>

  <tr>
    <td style={{verticalAlign: 'middle'}}>
      Adaptive overload protection
    </td>
    <td style={{verticalAlign: 'middle', textAlign: 'center'}}>BETA</td>
    <td style={{verticalAlign: 'middle'}}>
      Prevent client requests from overwhelming a variety of server resources
      that could lead to poor server availability.
      <br /><br />
      Learn more: <a href="/vault/docs/concepts/adaptive-overload-protection">Adaptive overload protection overview</a>
    </td>
  </tr>

  <tr>
    <td style={{verticalAlign: 'middle'}}>
      ACME Client Count
    </td>
    <td style={{verticalAlign: 'middle', textAlign: 'center'}}>ENHANCED</td>
    <td style={{verticalAlign: 'middle'}}>
      To improve clarity around client counts, Vault now separates ACME clients
      from non-entity clients.
    </td>
  </tr>

  <tr>
    <td rowSpan={2} style={{verticalAlign: 'middle'}}>
      Public Key Infrastructure (PKI)
    </td>
    <td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
    <td style={{verticalAlign: 'middle'}}>
      Automate certificate lifecycle management for IoT/EST enabled devices with
      native EST protocol support.
      <br /><br />
      Learn more: <a href="/vault/docs/secrets/pki/est">Enrollment over Secure Transport (EST)</a> overview
    </td>
  </tr>

   <tr>
    <td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
    <td style={{verticalAlign: 'middle'}}>
      Submit custom metadata with certificate requests and store the additional
      information in Vault for further analysis.
      <br /><br />
      Learn more: <a href="/vault/api-docs/secret/pki#metadata">PKI secrets engine API</a>
    </td>
  </tr>
  <tr>
    <td rowSpan={3} style={{verticalAlign: 'middle'}}>
      Resource management
    </td>
    <td style={{verticalAlign: 'middle', textAlign: 'center'}}>ENHANCED</td>
    <td style={{verticalAlign: 'middle'}}>
      Vault now supports a greater number of namespaces and mounts for
      large-scale Vault installations.
    </td>
  </tr>

  <tr>
    <td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
    <td style={{verticalAlign: 'middle'}}>
      Use hierarchical mount paths to organize, manage, and control access to
      secret engine objects.
    </td>
  </tr>

  <tr>
    <td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
    <td style={{verticalAlign: 'middle'}}>
      Safely override the max entry size to set different limits for specific
      storage entries that contain mount tables, auth tables and namespace
      configuration data.
      <br /><br />
      Learn more: <a href="/vault/docs/configuration/storage/raft#max_mount_and_namespace_table_entry_size"><code>max_mount_and_namespace_table_entry_size</code> parameter</a>
    </td>
  </tr>

  <tr>
    <td style={{verticalAlign: 'middle'}}>
      Transit
    </td>
    <td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
    <td style={{verticalAlign: 'middle'}}>
      Use cipher-based message authentication code (CMAC) with AES symmetric
      keys in the Vault Transit plugin.
      <br /><br />
      Learn more: <a href="/docs/secrets/transit#aes256-cmac">CMAC support</a>
    </td>
  </tr>

  <tr>
    <td style={{verticalAlign: 'middle'}}>
      Plugin identity tokens
    </td>
    <td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
    <td style={{verticalAlign: 'middle'}}>
      Enable AWS, Azure, and GCP authentication flows with workload identity
      federation (WIF) tokens from the associated secrets plugins without
      explicitly configuring sensitive security credentials.
      <br /><br />
      Learn more: <a href="/vault/docs/secrets/aws#plugin-workload-identity-federation-wif">Plugin WIF overview</a>
    </td>
  </tr>

  <tr>
    <td style={{verticalAlign: 'middle'}}>
      LDAP Secrets Engine
    </td>
    <td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
    <td style={{verticalAlign: 'middle'}}>
      Use hierarchical paths with roles and set names to define policies that
      map 1-1 to LDAP secrets engine roles.
      <br /><br />
      Learn more: <a href="/vault/docs/secrets/ldap#hierarchical-paths">Hierarchical paths</a> overview
    </td>
  </tr>

  <tr>
    <td style={{verticalAlign: 'middle'}}>
      Clock skew and lag detection
    </td>
    <td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
    <td style={{verticalAlign: 'middle'}}>
      Use the <code>sys/health</code> and <code>sys/ha-status</code> endpoints
      to display lags in performance secondaries and performance standby nodes.
      <br /><br />
      Learn more: <a href="/vault/docs/enterprise/consistency#clock-skew-and-replication-lag">Clock skew and replication lag</a> overview
    </td>
  </tr>

  </tbody>
</table>

## Feature deprecations and EOL

Deprecated in 1.17 | Retired in 1.17
------------------ | ---------------
None               | Centrify Auth plugin

@include 'release-notes/deprecation-note.mdx'
